How to ensure business processes are compliant with sustainability regulations
In this fourth blog post on BPI for Sustainability, I am sharing how SAP Signavio can help companies to ensure that processes are compliant with the ever-growing number of sustainability regulations. To illustrate this use case, I am taking an example relating to the new regulations enforced globally around the topic of Extender Producer Responsibility (EPR).
The key take-aways from reading this blog post are:
1) understand the steps required to integrate sustainability regulations to existing risks frameworks within an organization
2) understand how to identify risks within the impacted processes and define controls to mitigate the risks
3) understand how to implement a process governance workflow
Business Process Management has traditionally been a practice to help organizations manage their risks and compliance. Particularly in highly regulated industries such as financial services, BPM tools have been widely leveraged to map out risk frameworks and required controls within business processes.
With the growing number of sustainability related policies coming into effect globally, organizations need to incorporate these into their existing risk management frameworks to assess appropriate actions. In general policies are delivered in different forms and through varying instruments. Regulatory policies (or mandates) compel certain types of behaviors, limiting the discretion of an organization; behavior is regulated, and “bad” behavior is punished through fines or sanctions. Economic incentives and market-based instruments (such as taxes, tax incentives, permits and fees) can be effective in encouraging compliance or certain types of behavior.
For organizations, non-compliance to these types of policy measures can have substantial negative impact such as:
- Risk of losing license to operate
- Risk of substantial financial obligations due to imposed fines
- Risk of losing access to customers, talent, capital due to reputational damage (media attention, court cases, etc.)
Therefore, organizations need to continuously assess how they are impacted by current and upcoming regulations and decide how to deal with them. This is part of the risk management function of an organization and should follow the established risk management framework and its methods to assess risks.
Once risks have been identified and classified, BPM comes into play to:
- Document risks in a risk repository to make them available for the organization
- Identify risks in business processes with regards to complying to regulatory requirements
- Define controls for the identified risks to mitigate or eliminate the risks
In addition, SAP Signavio can support businesses to:
- Implement process governance workflows to better manage controls
- Automate labor intensive compliance tasks to improve process efficiencies
- Monitor process conformance and create awareness on compliance topics across the organization
Use case example: Global electronics producer
For our use case we step into the shoes of a global electronics producer. This is a fictitious scenario as for all use cases I describe in my blog posts on this topic.
The company has a larger entity in Germany with over 3,000 employees. Thus, the company needs to comply with the new Extended Producer Responsibility Act (Lieferkettensorgfaltspflichtengesetz in German) coming into effect in January 1, 2023.
The Act obligates companies to comply with the “human rights and environmental due diligence obligations set out in sections 3 to 10 of the Act in an appropriate manner with the aim of preventing or minimizing human rights or environmental risks or ending the violation of human rights or environmental obligations”.
In a nutshell this means that the company must ensure the following:
- Perform a risk analysis against the described scope
- Make a policy statement demonstrating commitment to the obligations
- Implement preventive controls within its business processes and extended value chain (direct suppliers)
- Implement a complaint system to allow reporting of violations
- Take immediate actions in case of violations
- Provide documentation and reporting on the compliance of its obligations
In our use case, the company sees this as an opportunity to integrate sustainability regulations into a robust risk and compliance framework that leverages business processes to embed risk and controls, which allows for an effective risk and compliance management as well as internal and external audit process.
They task its risk management team to perform the risk analysis. The risk team set up a task force including process owners and sustainability managers. First task is to understand the scope of the extended producer responsibility act and do a first assessment which parts may pose a material risk to the organization. Outcome of this first assessment is that for some of the scope items concerning environmental aspects, the company has measures in place as they form part of their existing quality standards. For other’s whoever, the assessment shows that there might be risk of non-compliance and given the fact that with enforcement of the EPR act this could lead to significant financial implications, the team recommends capturing and start managing these as risks accordingly.
To help them with this task, they include their BPM CoE colleagues to support them with:
- Maintain a risk repository of the potential risks
- Map out a high-level value chain to help them team understand where risks could occur
- Assign risks to impacted business processes
- Map defined controls for the identified risks
- Design a governance workflow for selected controls
Step 1: Maintain a risk repository
Based on the initial risk assessment done, the team maintains the identified risks in the Dictionary in SAP Signavio. The team decides to start with a new risk category so that they can maintain all sustainability related risks in once central place. As the team expects that different regulations will have overlapping risks, they feel this is an effective way to manage these risks.
For the Extended Producer Responsibility Act the team classified six potential risks that need to be managed.
As a next step the team wants to get a first high-level understanding where these risks could occur in their entire value chain and what are their likelihoods.
Step 2: Map out a high-level value chain
To facilitate the discussion the team takes the end-to-end value chain of the company from raw material to components, design and engineering, manufacturing, sales and distribution, usage, and finally reuse and recycle.
Looking at the classified risks based on the EPR Act, the team believes that the highest risks are in the downstream processes of raw material and components. For its own operations the team has high confidence that there are already controls in place and documented evidence showing compliance with the EPR Act.
On the components side the company works with eight main suppliers that make up over 90% of their components. For six of these suppliers, the company has already proof that they are having controls in place with regards to the scope of the EPR act and they share their regular evaluations. For two of the suppliers the team is less confident as there is no documented proof provided. With regards to their extended suppliers of raw materials the team feels that there is now almost no visibility on controls concerning the scope of the EPR Act.
Therefore, the team recommends focusing on the sourcing and supplier evaluation processes currently in place to assess the risk if existing controls are sufficient or if new ones must be introduced.
The team also decides to kick off an initiative with their key suppliers to adopt similar risk and control processes on their side, to ensure that the entire value chain is managed with regards to the requirements of the EPR Act.
Step 3: Assign risks to impacted business processes
Next the team reviews their sourcing process to understand the potential risk exposure and which controls might already been in place and which ones should be added. The team concludes that two of risks are not yet managed appropriately. They indicate in which process step the risk occurs. As no controls are defined yet, the risk shows a red indicator to make it visible to anyone looking at this process.
Step 4: Map defined controls
Next the team starts defining controls to mitigate the risks. They decide on three new/updated controls:
- Update to the supplier evaluation check
- New periodic review of suppliers
- New complaint process to act on any reported incidence with a supplier
Step 5: Design a governance workflow
The third control concern the requirement to take immediate actions in case the company becomes aware of any potential non-compliance along its value chain with regards to EPR act.
The team decides to introduce a workflow within SAP Signavio Process Governance to ensure that this control is performed as designed. The team models the steps for the workflow and informs all relevant stakeholders about the new process.
In our use case we have seen the steps the electronics producer is taking to comply with the upcoming Extended Producer Responsibility Act in Germany:
- Identify risks in its processes with regards to complying to regulatory requirements
- Define controls to address the identified risks in its processes
- Implement a process governance workflow
Business process management offers great capabilities to help managing risks and compliance for an organization from a business process perspective. When it comes to sustainability, organization can look beyond staying compliant and explore the opportunistic side of sustainability regulations. We will investigate this in my next blog post, when we look at how companies can benefit from the new EU taxonomy framework coming into effect in 2023.
If you are interested to know more about the topic of sustainability you can visit our community page here: https://community.sap.com/topics/sustainability
You can also ask questions about the topic in SAP Community with using this Q&A tag link for Sustainability: https://answers.sap.com/questions/ask.html?primaryTagId=140502597117949649788634441139048
Links to my other Blog Posts
How Business Process Intelligence can accelerate an Organization’s Sustainability Journey
Envision new sustainable business models based on what your customers desire
How to get from Sustainability Insights to Process Action